Autonomous AP as Wireless Bridge with Multiple VLAN

In last post we learned about how to setup a root and non-root bridge. In this post we will see the configuration for multiple VLAN on Root, Non-Root Bridge for wireless clients.

Topology is same as it was in last post: Autonomous AP as Wireless Bridge

Again here I will use WPA2-PSK to authenticate both WLAN. One WLAN for Root-AP to Wireless-Bridge communication and other WLAN for clients to authenticate.

We will not waste our much time on theory, let’s directly jump to configuration:

Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 dot11 ssid BRIDGE-CLIENT
 vlan 81
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 7 094F471A1A0A464058
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 encryption vlan 81 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 ssid BRIDGE-CLIENT
 !
 station-role root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Wireless-Bridge:

hostname Wireless-Bridge
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 030752180500701E1D
 !
 dot11 ssid BRIDGE-CLIENT
 vlan 81
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 14141B180F0B7B7977
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 encryption vlan 81 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 ssid BRIDGE-CLIENT
 !
 station-role non-root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

That’s all for configuration. Now we are ready to test a client for VLAN 81.

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
 ac7b.a1d1.c289 10.35.81.157    Br-client     Wireless-Bridge 003a.9a3e.a380 Assoc
 Root-AP#
 Root-AP#sh dot11 associations  003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 2                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 48.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -6   dBm           Connected for    : 58 seconds
 Signal to Noise   : 82  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
  
 Packets Input     : 25049              Packets Output   : 6732
 Bytes Input       : 4102567            Bytes Output     : 1025396
 Duplicates Rcvd   : 0                  Data Retries     : 1185
 Decrypt Failed    : 0                  RTS Retries      : 29
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 
Root-AP#sh dot11 associations  ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Wireless-Bridge
 IP Address        : 10.35.81.157       Interface        : Dot11Radio 0
 Device            : Br-client          Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
  
 State             : Assoc              Parent           : 003a.9a3e.a380
 SSID              : RSCCIEW
 VLAN              : 81
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

Autonomous AP as Wireless Bridge

In this post we will learn how to configure AP as wireless bridge. I tried to find the documents on cisco but they are very limited.

Let’s learn something about Wireless Bridges.

Here is my Topology:

Wirelessbridge1

I have two 1240 model APs.

Root-AP: 10.35.80.110

Wireless-Bridge: 10.35.80.111

A wireless bridge is a Layer 2 device; it connects two or more LANs, which can be in different buildings, through the wireless interface. Wireless bridges provide higher data rates and superior throughput for data-intensive and line of sight applications. Wireless bridges eliminate the need for expensive leased lines and fiber-optic cables and mostly used to connect two sites where either WAN line is not available or available but expensive.

In this post I will create a WLAN “RSCCIEW” to connect Root-AP & Wireless-Bridge.

Remembering Points:

  • It will always connect to Root-AP via Native VLAN.
  • It can support multiple VLAN. (Not like Repeater).

Let’s start with configuration:

Basic Root-AP/Wireless-Bridge Configuration with WPA2 encryption/single SSID.

Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Wireless-Bridge:

hostname Wireless-Bridge
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 030752180500701E1D
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role non-root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Once completion of configuration, we will these logs:

*Dec 17 12:44:24.301: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP 003a.9914.1370 [None WPAv2 PSK]
Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
  
 Root-AP#sh dot11 associations 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 1                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -13  dBm           Connected for    : 267 seconds
 Signal to Noise   : 75  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
  
 Packets Input     : 5988               Packets Output   : 3377
 Bytes Input       : 883945             Bytes Output     : 513196
 Duplicates Rcvd   : 0                  Data Retries     : 233
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 Root-AP#

Now let’s connect a client to Wireless-Bridge and see its status:

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
 ac7b.a1d1.c289 10.35.80.109    Br-client     Wireless-Bridge 003a.9a3e.a380 Assoc
 Root-AP#
 Root-AP#sh dot11 associations 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 2                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -6   dBm           Connected for    : 127 seconds
 Signal to Noise   : 81  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 26129              Packets Output   : 6816
 Bytes Input       : 4276916            Bytes Output     : 1048109
 Duplicates Rcvd   : 0                  Data Retries     : 1204
 Decrypt Failed    : 0                  RTS Retries      : 29
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 Root-AP#sh dot11 associations ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Wireless-Bridge
 IP Address        : 10.35.80.109       Interface        : Dot11Radio 0
 Device            : Br-client          Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : Assoc              Parent           : 003a.9a3e.a380
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0
 Root-AP#

*** If we want to authenticate Wireless-Bridge with LEAP(How to Authenticate with LEAP) or EAP-FAST(How to Authenticate with LEAP) then we have to use the same method as we did for Repeaters. Check my old post to use EAPFAST or LEAP to authenticate Repeater, Wireless Bridge, WGB, and Universal WGB.